Dangerous vulnerability in popular instant messenger allowed correspondence to be read

Nathaniel Suchy, an engineer from the United States, found that the Telegram Desktop application does not encrypt the user's correspondence. He reported this on his Twitter account. The discovery was noticed by the portal BleepingComputer.

“Telegram keeps your messages in an unencrypted SQLite database. At least I didn’t have to exert effort to find the key this time,” wrote Suchy, accompanying the post with a screenshot.

Thus, the program stores correspondence as plain text in files that are freely accessible on the system. The desktop version of Telegram supports password protection to prevent unauthorized access to the app, but this security setting does not involve encryption.

Suchy also tested the “secret chat” feature. It turned out that all messages, without exception, end up in one and the same database, regardless of whether they benefit from end-to-end encryption.

The same applies to media files sent in conversations. The engineer only had to change the file extension to view an image from the database. He expressed surprise that Telegram does not apply encryption to locally stored data.
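The finding described above can be checked on any application's local storage by looking at file contents rather than file names. The following is an added example, not code from the researcher or from Telegram: it labels a file as a plaintext SQLite database, a plaintext image hidden behind another extension, or high-entropy data. The file names, table name, sample contents and the 7.9 bits-per-byte threshold are constructed assumptions.

```python
import math
import os
import sqlite3
import tempfile
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every plaintext SQLite file
IMAGE_MAGICS = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def classify(data: bytes) -> str:
    """Classify by content, not file name; ciphertext has no header and ~8.0 entropy."""
    if data.startswith(SQLITE_MAGIC):
        return "plaintext-sqlite"
    for magic, kind in IMAGE_MAGICS.items():
        if data.startswith(magic):
            return "plaintext-image:" + kind
    if len(data) >= 4096 and entropy(data) > 7.9:  # threshold is an assumption
        return "high-entropy (likely encrypted or compressed)"
    return "unknown"


def build_samples() -> dict:
    """Constructed sample files; names and contents are made up for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "store.db")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE messages (body TEXT)")
        con.execute("INSERT INTO messages VALUES ('constructed sample message')")
        con.commit()
        con.close()
        with open(path, "rb") as fh:
            db_bytes = fh.read()
    return {
        "store.db": db_bytes,                                 # unencrypted database
        "cache_0001.bin": b"\x89PNG\r\n\x1a\n" + bytes(64),  # image behind a .bin name
        "sealed.bin": os.urandom(8192),                       # stand-in for ciphertext
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:16} {classify(blob)}")
```

A store encrypted at rest should never produce the first two labels, and the message text should not be findable in the raw bytes.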

The application's staff have not commented on the vulnerabilities found.

A few days ago, hacker Matt Suiche found the same vulnerability in the Signal application. He said that he did not expect such a failure from a program that promises secure messaging.

In early October, cybersecurity experts discovered a vulnerability in Telegram that revealed users' IP addresses. This happened during calls made through the messenger. Later, the application's owner, Pavel Durov, said that the leak had affected only a small percentage of users.